gchristensen changed the topic of #nixops to: NixOps related talk | logs: https://logs.nix.samueldr.com/nixops/ https://meet.jit.si/NixOpsReview
cole-h has joined #nixops
cole-h has quit [Client Quit]
cole-h has joined #nixops
ornxka has quit [Quit: No Ping reply in 180 seconds.]
ornxka has joined #nixops
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixops
<cole-h_> gchristensen: "sorry cole :(" ?
<gchristensen> you left the channel right after I shared a nightmare
<cole-h_> Oh :D
<cole-h_> I'm always here...
cole-h has quit [Quit: Goodbye]
cole-h_ has quit [Quit: Goodbye]
pbb has quit [Ping timeout: 272 seconds]
pbb has joined #nixops
teto has joined #nixops
teto has quit [Ping timeout: 260 seconds]
typetetris has joined #nixops
<typetetris> If using nixops, is a `system.stateVersion` in the configuration for a host still necessary? (using nixops for a nixos host)
teto has joined #nixops
<adisbladis> typetetris: stateVersion is saved in the nixops state and injected, so no.
<typetetris> adisbladis: thanks
<typetetris> Seems like `network.description` has no effect for me; `nixops list` still shows `Unnamed NixOps network`.
<typetetris> Is this to be expected?
<gchristensen> I think you have to do a deploy. `nixops list` uses cached data
<gchristensen> and a deploy updates the cache
<typetetris> gchristensen: thanks
<typetetris> yes
<typetetris> worked
<gchristensen> great!
lordcirth has joined #nixops
teto has quit [Ping timeout: 260 seconds]
teto has joined #nixops
cole-h has joined #nixops
cole-h_ has joined #nixops
cole-h__ has joined #nixops
cole-h has quit [Ping timeout: 265 seconds]
cole-h__ is now known as cole-h
teto has quit [Ping timeout: 244 seconds]
yimmy149 has joined #nixops
teto has joined #nixops
teto has quit [Ping timeout: 252 seconds]
<typetetris> I don't get what the key management on a temporary file system protects me from. If someone hacks my server, it's running and the keys are still there. Why is this temporary storage a thing?
<lordcirth> typetetris, there are many attacks which would get access to the hard drive only, whether because the hard drive is stolen, or they gain a copy of a VM image, etc.
<typetetris> lordcirth: thanks
<cole-h> Is there a way to use a GPG auth subkey instead of letting nixops generate a new SSH keypair?
<cole-h> Oh hey, just gotta add it to my user.openssh.authorizedkeys lol
<cole-h> Derp.
<cole-h> Quick question: do changes to my `deployment.nix` get automatically pulled in, or do I need to do something special?
<gchristensen> hm?
<lordcirth> cole-h, where deployment.nix is the file you designated with nixops create?
<cole-h> Yes, sorry.
<gchristensen> just nixops deploy away
<lordcirth> Yes, changes will be read. You only need "nixops modify" if you want to change the set of filenames
<cole-h> e.g. I just added `{ install ? false }:` and `imports [ ... ] ++ lib.optional install ./host/install.nix` (for special first-install settings)
<gchristensen> first-install settings? like what?
<gchristensen> NixOS is best if there is no concept of "first install"
<cole-h> gpg-agent, so I can decrypt my git-crypt'd secrets. Maybe it's unnecessary, though, now that I've fixed h-m's gpg-agent config.
<cole-h> Actually, it's necessary because I use my gpg key for auth, and since my config repo is currently private, I need it to be able to pull my h-m config in the first place
<lordcirth> cole-h, so why is that different on the first install, from successive deploys?
<cole-h> I use (and prefer) h-m's gpg-agent, because it has more to customize... However, I'm now looking into if `programs.gnupg.agent` will actually work for me
<cole-h> OK, the main reason I used h-m's gpg-agent was because it can handle .gnupg/sshcontrol; however, I can just use `home.file.".gnupg/sshcontrol"`. Problem solved; I can now use NixOS's module and not need that "first install" stuff :D
<cole-h> ...I really hate that the gnome3 pinentry doesn't have a TTY/curses/terminal/whatever fallback like gtk2 does...
<yimmy149> could probably make a wrapper script that checks for DISPLAY and launches one or the other?
<cole-h> Except the NixOS gpg-agent hardcodes the pinentry to one of the flavors in `pkgs.pinentry.flavors`: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/programs/gnupg.nix#L100
<cole-h> Though I guess I could just set pinentryFlavor to null and then set `pinentry-program` in gpg-agent.conf...
teto has joined #nixops
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixops
<cole-h> So, I just modified my `host/configuration.nix` and then ran `nixops deploy`, but `/etc/nixos/configuration.nix` is still different from `host/configuration.nix`. Is there something I need to do to make these changes take place, or am I misunderstanding something?
<adisbladis> cole-h: nixops makes no attempt to update `/etc/nixos/configuration.nix`
<adisbladis> What would we copy there?
<cole-h> Hm, I am misunderstanding something, then. Should I remove my /etc/nixos/configuration.nix, or are these two different things? I'm wanting to have stuff like `users.users.user.extraGroups = ["asdf"]` in the nixops-imported configuration.nix and have that take effect
<cole-h> When I `nixops deploy`, I'd expect for `user` to now be a part of group `asdf`
<yimmy149> I think this is something that ought to be added to the docs... It's not clear what hardware/boot things need to be included in nixops, as well as system.stateVersion.
<adisbladis> cole-h: In the case of nixops /etc/nixos/configuration.nix has no effect
<adisbladis> That's a nixos-rebuild thing
<cole-h> So nixops cannot replace nixos-rebuild?
<adisbladis> cole-h: Sure it can :)
<adisbladis> When you do `nixops deploy` it does something equivalent to `nixos-rebuild`
<adisbladis> It just doesn't take /etc/nixos/configuration.nix into account in any way
<adisbladis> Only whatever you have in your nixops deployment
<adisbladis> I have /etc/nixos/configuration.nix as a symlink pointing to the same file I import in my deployment.nix
<adisbladis> In case I need to nixos-rebuild to save my system
<adisbladis> I do a lot of screwy things, I have on occasion killed ssh access
<cole-h> Then, do you now how I should add a user to a group? Because my current trial of `users.users.user.extraGroups = [ "asdf" ];` doesn't appear to work.
<cole-h> s/now/know/
<yimmy149> is that file you import into deployment.nix closer to a hardware-configuration.nix than a configuration.nix in terms of content?
<adisbladis> cole-h: configuration.nix
<adisbladis> yimmy149: ^
<cole-h> Nope, I import `configuration.nix`, which was a carbon-copy of my /etc/nixos/configuration.nix until recently
<cole-h> (which itself imports hardware-configuration.nix)
<adisbladis> cole-h: Stupid question, but you are aware you need to log in/out of your session for new groups to appear?
<cole-h> Yep, I was switching TTYs
<adisbladis> Alright, I don't know what to say..
<cole-h> I should probably paste my configuration.nix. One moment.
<cole-h> Wait
<cole-h> I might be an idiot
<yimmy149> did you cat /etc/group to see if it was modified?
<cole-h> The problem might be that I never enabled `virtualisation` (which in turn didn't add the `libvirtd` group)
<cole-h> lol
<adisbladis> :D
<cole-h> Yep. That did it... lol.
<adisbladis> cole-h: Isn't IRC great, you don't have to be all alone in your idiocy
<cole-h> Probably (another) stupid question: nixops creates generations a la nixos-rebuild, right?
<cole-h> Y'all are my rubber duck :D
<adisbladis> cole-h: Yep
<cole-h> Awesome. Great. Perfect.
<cole-h> <3 yimmy149 <3 adisbladis Love you all.
<{^_^}> adisbladis's karma got increased to 78
<{^_^}> yimmy149's karma got increased to 1
<yimmy149> I feel so validated.
<cole-h> So your hunch about /etc/group was totally right -- it was never modified :D
<cole-h> Though I guess it would be nice to see a warning if a user adds itself to a group that doesn't (yet) exist...
<yimmy149> why is your stateVersion = 20.09, do you live in the future?
<adisbladis> yimmy149: nixos-unstable has a default stateVersion for the next release
<cole-h> Yeah, I run unstable
<yimmy149> nice
<cole-h> Thanks again for your help, guys. I think I have 2 blockers left (just things I need to figure out, really) before I switch to NixOS permanently :D
<adisbladis> cole-h: Nice! Which blockers?
<cole-h> I need to figure out GPU passthrough via libvirt, and I need to setup transmission and friends for... uh, seeding the NixOS iso
* infinisil is using transmission too
<cole-h> (That's why I'm trying it out :D -- I used to use rutorrent on Arch)
<adisbladis> They're about to release transmission 3.0
<adisbladis> Which made it _much_ easier to build the Qt client
<cole-h> I was planning on just using the web client
<adisbladis> cole-h: The Qt client can speak the RPC protocol, you can use it to talk to a daemon instance
<cole-h> Oh, cool. So I can use both :D
<adisbladis> http://ix.io/2mLO/nix fwiw
<adisbladis> I'll get that into nixpkgs as soon as it's released
<cole-h> hot
<cole-h> Man, it's real cool that doing `nix-shell -p nixops --run 'nixops deploy'` Just Works™, without prompting for root perms (because it uses my auth key to ssh into itself... :D)
<yimmy149> I'm jealous, I'm using a git checkout of the libvirtd plugin, so I have to jump through more hoops
<gchristensen> I never managed to make that one actually work :?
<gchristensen> I didn't figure out how to make libvirtd work, really
<yimmy149> It's really picky about its "default store" from what I can tell... I had issues creating it as root, and even as my user, sometimes it took two tries.
<gchristensen> yimmy149: maybe you could do a little nixops + libvirtd on NixOS tutorial?
<yimmy149> I'm not sure I'm qualified to do that, but I might be able to at least write a guide on the first steps... Other issues I've run into are that the VM disks are built in the /tmp ramdisk, and ignore any effort of mine to change TMP, TMPDIR, TEMP, TEMPDIR. So if I build two VMs at once it runs out of space trying to create the disks.
<gchristensen> that is okay you're already more qualified than I am, and I've merged PRs in to it .......
<gchristensen> would you be interested in helping maintain the repo? :)
<yimmy149> and private IPv4 is empty on the machines, nothing added to hosts. Not sure what the expectation is there with nixops?
<yimmy149> I can try to help, at least test some things. I did already comment on your poetry2nix PR (I'm jhillyerd@ on GH)
<gchristensen> awesome1
<gchristensen> !
<gchristensen> yeah if you could write up a short set of instructions, just even in reply to that PR, I'd really appreciate that
<yimmy149> sure
<gchristensen> thanks!
teto has quit [Ping timeout: 260 seconds]